I left Windows on my last remaining because I got tired of having to wait hours for the virus scans every time I turned on the machine. True, that was with XP, but a company that thrives on market domination, corruption to accomplish said domination, and is known to have bugs around for years, is not someone who I trust with security. It is simply that security and everything but the kitchen sink in the code, including legacy compatibility and legacy code, do not go together.
I worked for a while at a software house, and we had to write code around MS bugs because they would not fix them, even though we were a development partner. These were not security bugs, but regardless, they were not sensitive to the needs of their developers, except maybe the largest customers. I have never had any problems with any of my Linux installations, and only one virus was ever found with my OS-X machines. In contrast, I had numerous problems with my Windows machines, even after fresh installs and updates. That said, I don't think in this forum we should try and convince people or convert them to what we think. If the gentleman is content with MS security (and I am taking his words at face value, not a bait), let him use it and enjoy the outcome.

Just my two cents.

Zvi.

On Tue, May 11, 2010 at 4:21 PM, Micha Feigin <mi...@post.tau.ac.il> wrote:

> On Tue, 11 May 2010 23:50:49 +0300
> Elazar Leibovich <elaz...@gmail.com> wrote:
>
> > I guess we'll stay divided, but still, for the sake of the completion I want
> > to clarify my argument.
> > My point is, that some security decisions (for example, the "Tuesday patch"
> > you mentioned), even if they are very wrong (and obviously, MS security guys
> > would beg to differ) don't play a very big role in the overall security of
> > your products.
> > However good software engineering practices play a big role, and MS is
> -----------------------------------------------
>
> you're joking, right?
>
> They are still at the point of let's get it into the market and worry about
> making it work right later on
> (see Windows Vista, or Fichsta as I like to call it for example. Win 7 is still
> not half there either, see the new graphic driver model for examples which you
> won't believe how much trouble it causes, virtual memory on the video card
> handled by the operating system behind the driver's back ...)
>
> > doing that big time, and putting a lot of resources for secure software
> > development. So the question whether or not the Tuesday Patch is a good
> > idea, and whether or not full disclosure is a good idea matters much less
> > than the question whether or not they have security expert evaluating the
> > security of each and every software signed by MS.
> > About the complexity of Windows and backwards compatibility, it is indeed an
> > issue which any company which develops for Windows need to handle with. I
> > really don't see how is it related. Keep in mind that MS is making much more
> > software than just the Windows OS.
> >
> > On Tue, May 11, 2010 at 8:49 PM, Gilboa Davara <gilb...@gmail.com> wrote:
> >
> > > On Tue, 2010-05-11 at 20:23 +0300, Elazar Leibovich wrote:
> > > > Why do you think that MS believe in security by obscurity? I believe
> > > > that security problems in MS products are generally speaking being
> > > > released to the wild.
> > > > Why I think MS products have better chance to be secure than your local
> > > > Joe Software shop, because they're having strict policies which are
> > > > supposed to enforce that:
> > > > 1) The SDL development process, which includes fuzz testing the
> > > > software specifically against security breaches. Every MS software
> > > > must undergo that. Do regular software you use do?
> > > > 2) Cryptography awareness. Every product which uses crypto must be
> > > > authorized by a specialized crypto group. Crypto is a thing which is
> > > > easy to create and hard to verify. Is Winzip encryption algorithm
> > > > being reviewed by crypto expert? I'd rather know that the software I
> > > > use had a strong peer review.
> > > > Correct me if I'm wrong, but these two processes are hardly seen in
> > > > other places of the software industry.
> > >
> > > ... I doubt that any of the above has anything to do with the points I
> > > raised in my previous post, but never mind, let's agree not to agree.
> > >
> > > - Gilboa
> > >
> > > _______________________________________________
> > > Linux-il mailing list
> > > Linux-il@cs.huji.ac.il
> > > http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il

--
Check out my web site - www.words2u.net